Happy August! Microsoft Weekly Round-Up
I feel like I've been offering up a bunch of guides lately. SecOps guides, both by MS & 3rd parties, best practices guides, all sorts of good stuff. But if you just want to roll up your sleeves and get deep into curated learning that's relevant and maintained, start here. If listening's more your jam, follow the Microsoft Security Podcast. You can't go wrong either way.
Remember way back when I said I thought MCAS was slowly making its way to https://security.microsoft.com as part of the integrated security experience? The shift appears to be happening, and it's starting with Microsoft Defender for Identity settings in public preview.
Oh wait, you wanted more best practices information? I failed to include a link above? Well buckle up, buckaroos, because there's been a recent flood of content for Sentinel! There's a new pre-reqs and best-practices doc for Sentinel deployment, one for usage (SOC activities and when to do them), and even one for data collection (so you don't accidentally over-charge yourself for data ingestion).
And that's not all. Sentinel has really come a long way with bi-directional incident sync, one of the biggest areas of customer feedback in the early days of the product. And while it's been around in preview since May, I don't think many folks have explored the 'Solutions' gallery, which enables single-step deployment of connectors, workbooks, analytics, parsers, and hunting queries, and supports public ratings. It's a lot easier than... well, what was already pretty darn easy compared to other SIEM products.
As the world waits with bated breath for the release of Windows 365 (and you'll already have it half-deployed by the time you read this), Endpoint Manager's 2107 release brought support for the new solution. We'll be presenting webinars on Windows 365 in both August (what it is & how it works) and September (how to manage it). Sign up! Bring your friends!
The monthly updates to Endpoint Manager dovetail nicely with new security baselines for both Edge and Azure. Not a ton of changes in the Edge baseline, but they do go off support after a while, so it's worth assessing and updating.
Lastly, since I am in the process of building an Active Directory in my demo environment to support the forthcoming Windows 365 (have you heard?!?), I've been paying more attention to AD security concerns. First, here's a great description of all the different authentication types that exist in AD (remember when I was talking about not getting over-charged for data ingestion?), and second, here's a thing that seems fundamentally impossible but somehow isn't. Yes: you can run AD without NTLM. Madness. Tread carefully, because here be dragons. The article won't even tell you how to do it, because it's pretty much guaranteed to be a CLM. But I mention it because, well, this happened. You now have a nuclear option.
Though I guess the better option for organizations that have little remaining infrastructure is to remove AD entirely. Yep. Cloud-only is the way! I've already opined about it a few times this year, but it's time to let go of your DCs, your OUs, your GPOs, and your one-way intransitive trusts. Just let it fade into the sunset, like a sailboat over the horizon.